How to link a Shopify shop to an user of your external service
In the login page, you should send the JWT with the shop name during the login process (your own JWT should be encoded with the app secret as Session Token does which prevents from fraud token insertion by others).
If the user login successfully or the user is already logged-in, store the shop name in your database with the logged-in user ID.
At the next time that the user is already logged-in or log in again, your service already has (know) the record of the ID and shop, and the user no longer needs to go to the Shopify app page.
For publishing your app, this approach to limit the connecting point of your service and Shopify shops to the initial process of install is mandatory (see the guideline).
Note that if your app is non embedded one, you can't get Built for Shopify badge.
Public Token can be used for Storefront API only as X-Shopify-Storefront-Access-Token with unauthenticated scope only which can be revealed without expiration. Private Token can be used for Admin API as X-Shopify-Access-Token like OAuth Token, also for Storefront API as Shopify-Storefront-Private-Token With authenticated and unauthenticated scopes both (but they need to be included by the parent OAuth scopes) which can NOT be revealed and with expiration. Public / Private Token get disabled immediately once the parent OAuth token gets deactivated with the app uninstall or other token handling.
Checkout context depends on BuyerIdentity, so even if you create a checkout with a country locale (e.g. US), if the logged in customer has another country address (e.g. JP), the checkout context gets override with the customer's buyer identity.